Question: One of our employees was browsing the web when he suddenly lost connection! Can you help him figure out why? ``` ❯ tshark -r file.pcap -T fields -e ip.src -e ip.dst | tr '\t' '\n' | sort -u: Recorded IPs: 185.125.190.58 192.168.100.1 192.168.100.10 192.168.100.20 192.168.100.30 ``` ``` ❯ tshark -r chall.pcap -Y http.request -T fields -e ip.dst | sort -u 192.168.100.1 ``` ``` ❯ tshark -r chall.pcap -Y http.request -T fields -e ip.src | sort -u HTTP Clients: 192.168.100.10 192.168.100.20 ``` Notable Stuff: Capture Timeframe: 17:17:49 -> 17:21:21 UTC 192.168.100.20 stopped sending packets completly by May 6, 2025 17:21:14 All html files delivered are exactly the same 192.168.100.1 is connected over ssh to 192.168.100.20 192.168.100.10 sends a lot of tcp retransmissions it probably lost connection => This is the employee probably The pcap file contained a lot of arp requests. This made me look for signs of arp poisoning: ``` ❯ tshark -r chall.pcap -Y "arp.opcode == 2" -T fields -e arp.src.proto_ipv4 -e eth.src | sort | uniq -c 6 192.168.100.10 bc:24:11:3e:f3:a5 6 192.168.100.10 bc:24:11:78:c8:64 2 192.168.100.1 bc:24:11:74:12:33 32 192.168.100.1 bc:24:11:78:c8:64 3 192.168.100.20 bc:24:11:e8:04:b1 1 192.168.100.254 26:55:ad:5c:79:a6 1 192.168.100.254 3a:d3:ba:f1:51:d3 1 192.168.100.254 56:0c:c0:94:27:a3 1 192.168.100.254 6e:e9:35:c7:a8:87 3 192.168.100.30 bc:24:11:78:c8:64 ``` From this I created a list of all IP addresses with their corresponding mac addresses 192.168.100.10: - bc:24:11:3e:f3:a5 - bc:24:11:78:c8:64 192.168.100.1: - bc:24:11:74:12:33 - bc:24:11:78:c8:64 192.168.100.20: - bc:24:11:e8:04:b1 192.168.100.254: - 26:55:ad:5c:79:a6 - 3a:d3:ba:f1:51:d3 - 56:0c:c0:94:27:a3 - 6e:e9:35:c7:a8:87 192.168.100.30: - bc:24:11:78:c8:64 => 192.168.100.10, 192.168.100.30, 192.168.100.1 are connected to the same interface => This is probably the Attacker I labeled the interfaces with the help of .config/wireshark/ethers with the information i had. ``` ❯ cat ./config/wireshark/ethers bc:24:11:3e:f3:a5 Employee bc:24:11:74:12:33 Server bc:24:11:e8:04:b1 SSH_Connection bc:24:11:78:c8:64 Attacker ``` As the cause of the disconnect is the hint to the flag I started looking for strange data / repeating patterns. I specifically looked at the arp traffic the suspected attacker generated. ``` ❯ tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64" 102 9.721959 192.168.100.30 → 185.125.190.58 NTP 90 NTP Version 4, client 157 15.490011 Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64 649 47.001218 192.168.100.30 → 192.168.100.10 ICMP 98 Echo (ping) request id=0x5cfe, seq=1/256, ttl=64 655 47.003303 192.168.100.30 → 192.168.100.1 ICMP 98 Echo (ping) request id=0x5cff, seq=1/256, ttl=64 850 51.919433 Attacker → SSH_Connection ARP 42 192.168.100.30 is at bc:24:11:78:c8:64 852 52.054555 Attacker → Employee ARP 42 192.168.100.30 is at bc:24:11:78:c8:64 853 52.094738 Attacker → Employee ARP 42 Who has 192.168.100.10? Tell 192.168.100.30 1107 67.340041 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1112 67.846893 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1117 68.353860 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1149 68.860876 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1153 69.367942 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1192 70.874804 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1193 70.880994 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1196 71.387822 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1201 71.894817 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1204 72.401811 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1211 72.908807 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1219 74.415759 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1220 74.420757 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1224 74.927766 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1227 75.434762 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1231 75.941762 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1233 76.448768 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1243 77.954716 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1244 77.959717 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1248 78.465727 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1253 78.971743 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1255 79.478726 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1283 79.985841 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1385 81.492711 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1386 81.497642 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1397 82.003674 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1399 82.510696 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1402 83.016682 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1423 83.522648 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1525 85.029614 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1526 85.034558 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1543 85.540595 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1546 86.046628 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1548 86.553617 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1552 87.060604 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1560 88.567556 Attacker → Server ARP 42 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1561 88.572559 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 1564 89.079578 Attacker → Employee ARP 51 192.168.100.1 is at bc:24:11:78:c8:64 ``` It is very suspicious that the Attacker sends multiple ARP replies for 192.168.100.1 to the Employee which has been observed as belonging to bc:24:11:74:12:33 (Server) without a preceeding ARP request from the Employee. Looking further into these suspicous ARP replies I noticed that they are the only ones to contain trailer data in the ethernet packet. ``` ❯ tshark -r chall.pcap -Y "eth.src == bc:24:11:78:c8:64 and arp.opcode == 2" -T fields -e frame.number -e eth.trailer -e _ws.col.info 157 192.168.100.30 is at bc:24:11:78:c8:64 850 192.168.100.30 is at bc:24:11:78:c8:64 852 192.168.100.30 is at bc:24:11:78:c8:64 1107 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64 1112 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64 1117 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64 1149 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64 1153 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64 1192 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1193 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64 1196 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64 1201 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64 1204 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64 1211 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64 1219 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1220 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64 1224 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64 1227 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64 1231 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64 1233 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64 1243 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1244 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64 1248 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64 1253 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64 1255 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64 1283 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64 1385 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1386 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64 1397 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64 1399 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64 1402 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64 1423 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64 1525 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1526 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64 1543 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64 1546 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64 1548 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64 1552 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64 1560 192.168.100.10 is at bc:24:11:78:c8:64 (duplicate use of 192.168.100.1 detected!) 1561 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64 1564 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64 ``` There is a repeating pattern in the ARP replies. The block ``` 1107 015a334a6c6558746b 192.168.100.1 is at bc:24:11:78:c8:64 1112 024d5752664d563971 192.168.100.1 is at bc:24:11:78:c8:64 1117 0364584d335832646c 192.168.100.1 is at bc:24:11:78:c8:64 1149 044e3139774d44467a 192.168.100.1 is at bc:24:11:78:c8:64 1153 056232347a5a48303d 192.168.100.1 is at bc:24:11:78:c8:64 ``` is sent multiple times. I suspect that the flag are the 5 trailer entries appended and decoded ``` 015a334a6c6558746b024d5752664d5639710364584d335832646c044e3139774d44467a056232347a5a48303d ``` Each trailer entry starts with 0. I assume this is some id. I removed the leading id from the encoded_flag. ``` 5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d ``` Decoding with ``` echo "5a334a6c6558746b4d5752664d56397164584d335832646c4e3139774d44467a6232347a5a48303d" | xxd -r -p | base64 -d ``` yields the flag: `grey{d1d_1_jus7_ge7_p01son3d}`